Imagine this: autonomous vehicles dominate the streets. Unmanned people movers and delivery vehicles powered by environmentally-friendly powertrains find their way among driverless passenger cars which, albeit not actually being driven by anybody on board, elegantly evade bicycles, pedestrians and stationary objects. Traffic incidents and congestion have been reduced to a small fraction of what they previously were. Traffic is fluid. Traffic lights switch to green for emergency vehicles which are given the right of way in real time and smoothly zip through it all.
While the industry has painted this picture for a few years, we are still near science fiction status. But much of it is being worked on as you read this. Robo-taxis are about to hit the streets, and future cars are being architected and programmed today. To allow the fiction to become reality, several things need to be in place. To name just a few: alternative powertrains and the corresponding fuelling/charging infrastructure, artificial intelligence for autonomous vehicle control, and legislation updates. And then there is automotive cyber security, or more accurately, cyber security for the entire ecosystem of automobility.
Cyber security is a make-or-break issue for autonomous cars
Is that really a precondition? Most executives and senior managers have understood the importance of cyber security emotionally, but many still consider cyber security just a cost of doing business, a nuisance best taken care of by the IT or the compliance departments. We beg to differ: comprehensive cyber security beyond compliance is paramount and can make (if done right) or break (if done poorly) the dream of autonomous driving at scale. Here, we outline why.
The days of the car as an almost purely mechanical contraption are long gone and it is now evolving at breakneck speed (no pun intended), from intelligence programmed into embedded control units to a software-controlled, self-learning and self-optimising cyber-physical hybrid—in other words, into a computer on wheels running on digital technology. For now, this technology is quite different from the commodity IT components used in the average personal computer. For a long time, the difference was big enough to provide somewhat of a fence against the standard cyber attacks which have become common in business IT environments.
Yet some of the key ingredients in onboard digital technology—embedded controllers (as used in ESP systems or engine control), centralised vehicle control systems, and infotainment systems—are subject to rapid development speed on the one hand and notable cost pressure on the other. As in other industries (for instance, the electricity industry), previously proprietary hardware and software technology starts to converge towards more familiar, commercial off-the-shelf ingredients like industrial internet of things (IIoT) components, commodity x86 or ARM processors, high-powered PC graphics processing chips (crucial for onboard artificial intelligence capabilities) and third party application software interfaces like Apple CarPlay or Android Auto.
The whole vehicle value chain
This type of change affects the whole vehicle value chain. It increasingly attracts a set of new players—both good and malicious—entering the game from the sidelines, at times running circles around the established automakers. These find themselves drawn from over 100 years on home turf into a much less familiar arena of onboard, edge, fog, and cloud computing, from a hardware/system engineering, sales and leasing business into a software and data business. Also, there are incentives to move from lengthy, specification-driven roadworthiness approval processes to agile minimum viable product thinking and continuous iterations at high frequency.
This type of change also increases the so-called cyber attack surface (the type, extent, and severity of vulnerabilities) of the entire vehicle ecosystem. And this trend towards the use of commercial off-the-shelf commodity IT ingredients increases the size of the talent pool capable of developing and launching successful attacks on a vehicle and/or its ecosystem. Not surprisingly, in a 2014 BCG study, cyber security had already surfaced as one of the chief concerns of surveyed prospective consumers of autonomous vehicles (AVs).
Previously, a malicious actor would need physical access to a car to throw a spanner into the works (or to loosen a few vital bolts). Now, modern cars tend towards being increasingly networked with the outside world, or even nearly ‘always on’. This provides an always accessible remote entry point: where once physical access was required, now only an internet connection is needed from anywhere in the world. And indeed, as has been repeatedly demonstrated, a laptop and some relatively affordable additional hardware gadgets, or occasionally even a few lines of—sometimes frighteningly simple—software code delivered through wireless (Wi-Fi or Bluetooth) or wired (for instance, OBD-2 plugs) connections may suffice to open car doors (even while in motion), honk the horn, flash the headlights, crank up the radio volume, extract personally identifiable or location data, or alter navigation system behaviour. The list goes on. Other attacks have successfully managed to steer a car into a ditch, luckily only as a proof of concept under controlled circumstances. But this attack led to the first cyber security-related vehicle recall in automotive history, and it affected over a million (!) vehicles, causing anywhere between an estimated US$25m (looking only at recall labour cost) and US$580m (taking the average 2016 cost per car recall of US$416 in the US) in damage. Car makers have responded and scrambled to patch this type of bug.
Was this bad luck, the regrettable oversight of an individual, something that, now that the bug has been patched, won’t happen again? Unlikely. More likely, it points at a systemic issue beyond individual companies, a tough nut the automotive industry as a whole will need to crack in order to realise the dream of safe, autonomous driving.
A systemic issue
Let’s look at the complexity of the software that controls several current-day vehicles (Fig. 1). It is obvious that automobiles have become incredibly complex, rolling collections of networked computers. The popular pickup truck contains over 100 different computer and controller chips and is run by over 130 million lines of computer code. That is already 20 times more complex than a modern airliner. And road-ready autonomous vehicles are expected to hit 300 million lines of code. Considerable work goes into writing this code, and to quote Joseph Conrad, “It’s only those who do nothing that make no mistakes”. So, let’s next look at the average number of defects per 1,000 lines of code, for which there is ample data in various analyst reports: we see up to 50 defects, of which about ten are critical, per 1,000 lines of code. Even if only 1% of these critical defects were to impact cyber security, our AV would hit the road with an estimated 30,000 (!) cyber defects hidden in its software guts (300 million lines × 10 critical defects per 1,000 lines × 1%). These defects can become vulnerabilities able to wreak havoc at large.
To be clear: we are not only looking at potential random quality issues or material fatigue which lead to unintended damages following well-understood statistical distributions. We are now also faced with the risk of deliberate acts of malicious actors intending to cause harm, which may create random collateral damage or strike in a targeted, non-random manner. In other words, while cyber security has much in common with quality management and safety engineering, it adds a fundamentally new edge: in addition to random faults, we are now dealing with human actors who consciously break things because they expect some form of benefit from doing so.
Combine this with heavy vehicles in an urban environment, and it becomes crystal clear: the number of defects must be reduced (for instance through improved programming practices and continuous patching), and the ways by which the remaining defects could be abused or exploited by malicious actors must be mitigated (for instance through monitoring, blocking, and non-digital fail-safe compensating controls). And since 100% cyber security cannot be attained (just as 100% correct software cannot), it is important to establish systemic resilience against cyber attacks on the vehicle ecosystem.
What needs to be done?
Is this a technology issue, or even just an IT issue? Only partially. First and foremost, cyber resilience is a business issue against a technical backdrop. A recent BCG study found that 72% of cyber breaches which made the headlines were due to failures of people, processes, and organisation, whereas technology issues caused only the remaining 28%. So, while technology is important for cyber resilience and companies are starting to invest in cryptography, hardware security modules, identity management, secure bus architectures, tamper-proof chip designs etc., it is only the tip of the iceberg.
Looking at the aspiration for autonomous vehicles, automotive companies should increase their efforts to also systematically address the larger part of the iceberg below the waterline. Here are a few thoughts on what needs to be done:
- Treat cyber resilience as a business problem rather than a purely technical problem, and anchor responsibility for it not only in the technology function;
- Take a customer-centric point of view; start with the people (customers, employees, garage staff etc.) and look at processes and organisation—then translate into technical requirements;
- Consider the ecosystem perspective and look at cyber resilience upstream, to suppliers, downstream, to dealerships, repair shops and car owners, and sideways, to operators of city infrastructure, other traffic participants, electricity grids etc. As an example, from another industry with a heavily interwoven ecosystem, see the work of the World Economic Forum in collaboration with BCG on ‘Cyber Resilience in the Electricity Ecosystem’;
- Prepare to be held responsible not only for the cyber security of what you produce and control directly in your own company, but also for what you integrate from suppliers and what your dealerships and repair shops do downstream. For automakers, that may mean that they will have to act as an ecosystem orchestrator to ensure end-to-end cyber resilience;
- Adopt a lifecycle view for software, hardware (like onboard control units, ECUs, sensors, actuators etc.), and accompanying services;
- Clarify whose responsibility it is to provide bug fixes, security updates and patches – and for which parts of the vehicle ecosystem. Is it the automaker, the suppliers, other third parties, or all of the above?
- Clarify how long you will assume your part of this responsibility, and establish an architecture that is flexible and modular enough to deliver on this responsibility (for instance through over-the-air software updates and also hardware updates). Customers are unlikely to accept that entire cars have to be replaced just because, for example, encryption technology which was state of the art at the time when the vehicle was designed or placed in the market has been broken by the time the car is delivered;
- Have HSE (health, safety, and environment) and QM (quality management), two disciplines which tend to be very mature in most automotive manufacturers (especially with ISO 26262 Road vehicles—Functional safety), join forces with cyber resilience (see also the forthcoming ISO 21434 Road vehicles—Cybersecurity engineering). Ultimately, you will want cyber resilience engineered into your products from the beginning, as is now common for quality (which has matured from purely after-the-fact statistical control to preventative up-front quality engineering);
- As part of this integration, strengthen monitoring and response capabilities, in processes and products, and implement out-of-band compensating control mechanisms, for instance the fail-safe equivalent of an emergency power off (EPO) switch on the dashboard;
- Build an organisation and hire people capable of driving and doing all this. Really.
Obviously, there is more to it, but one thing is certain: done right, cyber resilience can provide a robust underpinning for autonomous vehicle innovation. It can even speed it up. Done poorly, cyber-induced incidents will snowball, having the potential to harm the environment, injure people (or worse), and ultimately cause public perception to tip or regulatory action to kill the dream of nearly frictionless traffic. The choice is up to all the players in the automotive ecosystem. The time to act is now.
About the authors: Stefan A. Deutscher is a Partner and Associate Director for Cyber security & IT Infrastructure at the Boston Consulting Group and BCG’s global topic leader for cyber security. Alex Koster is MD and Partner at BCG and an expert for digital transformation and software in automotive. Christoph Gauger is MD and Partner at BCG and leads BCG’s Global Center for Digital in Automotive.
This article also appeared in Automotive World’s October 2019 report, ‘Special report: Why cyber security is essential for autonomous vehicle success’, which is available now to download